From f2cfa1dc0306bedb5212f0f98ce4bade55af0332 Mon Sep 17 00:00:00 2001
From: Alex Gaynor
Date: Tue, 5 Sep 2023 22:19:38 -0400
Subject: [PATCH 1/2] Convert src/rust/src/x509/common.rs
---
 src/rust/src/types.rs | 8 ++++++
 src/rust/src/x509/common.rs | 50 ++++++++++++++++---------------------
 2 files changed, 30 insertions(+), 28 deletions(-)
diff --git a/src/rust/src/types.rs b/src/rust/src/types.rs
index 09968c338c37..d785e9fb34ac 100644
--- a/src/rust/src/types.rs
+++ b/src/rust/src/types.rs
@@ -216,6 +216,14 @@ pub static TLS_FEATURE_TYPE_TO_ENUM: LazyPyImport = LazyPyImport::new(
 "cryptography.x509.extensions",
 &["_TLS_FEATURE_TYPE_TO_ENUM"],
 );
+pub static REGISTERED_ID: LazyPyImport = LazyPyImport::new("cryptography.x509", &["RegisteredID"]);
+pub static DIRECTORY_NAME: LazyPyImport =
+ LazyPyImport::new("cryptography.x509", &["DirectoryName"]);
+pub static UNIFORM_RESOURCE_IDENTIFIER: LazyPyImport =
+ LazyPyImport::new("cryptography.x509", &["UniformResourceIdentifier"]);
+pub static DNS_NAME: LazyPyImport = LazyPyImport::new("cryptography.x509", &["DNSName"]);
+pub static RFC822_NAME: LazyPyImport = LazyPyImport::new("cryptography.x509", &["RFC822Name"]);
+pub static OTHER_NAME: LazyPyImport = LazyPyImport::new("cryptography.x509", &["OtherName"]);
 pub static OCSP_RESPONSE_STATUS: LazyPyImport =
 LazyPyImport::new("cryptography.x509.ocsp", &["OCSPResponseStatus"]);
diff --git a/src/rust/src/x509/common.rs b/src/rust/src/x509/common.rs
index 10a6a8bff50b..125397c11b0d 100644
--- a/src/rust/src/x509/common.rs
+++ b/src/rust/src/x509/common.rs
@@ -108,21 +108,21 @@ pub(crate) fn encode_general_name<'a>(
 py: pyo3::Python<'a>,
 gn: &'a pyo3::PyAny,
 ) -> Result, CryptographyError> {
- let gn_module = py.import(pyo3::intern!(py, "cryptography.x509.general_name"))?;
 let gn_type = gn.get_type().as_ref();
 let gn_value = gn.getattr(pyo3::intern!(py, "value"))?;
- if gn_type.is(gn_module.getattr(pyo3::intern!(py, "DNSName"))?) {
+
+ if gn_type.is(types::DNS_NAME.get(py)?) {
 Ok(GeneralName::DNSName(UnvalidatedIA5String(
 gn_value.extract::<&str>()?,
 )))
- } else if gn_type.is(gn_module.getattr(pyo3::intern!(py, "RFC822Name"))?) {
+ } else if gn_type.is(types::RFC822_NAME.get(py)?) {
 Ok(GeneralName::RFC822Name(UnvalidatedIA5String(
 gn_value.extract::<&str>()?,
 )))
- } else if gn_type.is(gn_module.getattr(pyo3::intern!(py, "DirectoryName"))?) {
+ } else if gn_type.is(types::DIRECTORY_NAME.get(py)?) {
 let name = encode_name(py, gn_value)?;
 Ok(GeneralName::DirectoryName(name))
- } else if gn_type.is(gn_module.getattr(pyo3::intern!(py, "OtherName"))?) {
+ } else if gn_type.is(types::OTHER_NAME.get(py)?) {
 Ok(GeneralName::OtherName(OtherName {
 type_id: py_oid_to_oid(gn.getattr(pyo3::intern!(py, "type_id"))?)?,
 value: asn1::parse_single(gn_value.extract::<&[u8]>()?).map_err(|e| {
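Review bot: The dispatch at the top of the hunk now compares `gn_type` by identity (`is()`) against `cryptography.x509.DNSName`, `RFC822Name`, `DirectoryName` and `OtherName`, where the removed code resolved the classes from `cryptography.x509.general_name`; the next hunk does the same for `UniformResourceIdentifier`, `IPAddress` and `RegisteredID`. Identity comparison is only equivalent to the old code if the `cryptography.x509` names are plain re-exports of the same class objects rather than subclasses or wrappers, which appears to be the case but is not visible from this diff. A comment at the first check, `// identity check: cryptography.x509 re-exports the general_name classes unchanged`, would pin that assumption for the next person who moves these imports. The trailing `else` that rejects unrecognized types, and the rest of encode_general_name, lie outside the hunk.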
@@ -132,16 +132,16 @@ pub(crate) fn encode_general_name<'a>(
 ))
 })?,
 }))
- } else if gn_type.is(gn_module.getattr(pyo3::intern!(py, "UniformResourceIdentifier"))?) {
+ } else if gn_type.is(types::UNIFORM_RESOURCE_IDENTIFIER.get(py)?) {
 Ok(GeneralName::UniformResourceIdentifier(
 UnvalidatedIA5String(gn_value.extract::<&str>()?),
 ))
- } else if gn_type.is(gn_module.getattr(pyo3::intern!(py, "IPAddress"))?) {
+ } else if gn_type.is(types::IPADDRESS.get(py)?) {
 Ok(GeneralName::IPAddress(
 gn.call_method0(pyo3::intern!(py, "_packed"))?
 .extract::<&[u8]>()?,
 ))
- } else if gn_type.is(gn_module.getattr(pyo3::intern!(py, "RegisteredID"))?) {
+ } else if gn_type.is(types::REGISTERED_ID.get(py)?) {
 let oid = py_oid_to_oid(gn_value)?;
 Ok(GeneralName::RegisteredID(oid))
 } else {
@@ -242,41 +242,37 @@ pub(crate) fn parse_general_name(
 py: pyo3::Python<'_>,
 gn: GeneralName<'_>,
 ) -> Result {
- let x509_module = py.import(pyo3::intern!(py, "cryptography.x509"))?;
 let py_gn = match gn {
 GeneralName::OtherName(data) => {
 let oid = oid_to_py_oid(py, &data.type_id)?.to_object(py);
- x509_module
- .call_method1(
- pyo3::intern!(py, "OtherName"),
- (oid, data.value.full_data()),
- )?
+ types::OTHER_NAME
+ .get(py)?
+ .call1((oid, data.value.full_data()))?
 .to_object(py)
 }
- GeneralName::RFC822Name(data) => x509_module
- .getattr(pyo3::intern!(py, "RFC822Name"))?
+ GeneralName::RFC822Name(data) => types::RFC822_NAME
+ .get(py)?
 .call_method1(pyo3::intern!(py, "_init_without_validation"), (data.0,))?
 .to_object(py),
- GeneralName::DNSName(data) => x509_module
- .getattr(pyo3::intern!(py, "DNSName"))?
+ GeneralName::DNSName(data) => types::DNS_NAME
+ .get(py)?
 .call_method1(pyo3::intern!(py, "_init_without_validation"), (data.0,))?
 .to_object(py),
 GeneralName::DirectoryName(data) => {
 let py_name = parse_name(py, data.unwrap_read())?;
- x509_module
- .call_method1(pyo3::intern!(py, "DirectoryName"), (py_name,))?
+ types::DIRECTORY_NAME
+ .get(py)?
+ .call1((py_name,))?
 .to_object(py)
 }
- GeneralName::UniformResourceIdentifier(data) => x509_module
- .getattr(pyo3::intern!(py, "UniformResourceIdentifier"))?
+ GeneralName::UniformResourceIdentifier(data) => types::UNIFORM_RESOURCE_IDENTIFIER
+ .get(py)?
 .call_method1(pyo3::intern!(py, "_init_without_validation"), (data.0,))?
 .to_object(py),
 GeneralName::IPAddress(data) => {
 if data.len() == 4 || data.len() == 16 {
 let addr = types::IPADDRESS_IPADDRESS.get(py)?.call1((data,))?;
- x509_module
- .call_method1(pyo3::intern!(py, "IPAddress"), (addr,))?
- .to_object(py)
+ types::IPADDRESS.get(py)?.call1((addr,))?.to_object(py)
 } else {
 // if it's not an IPv4 or IPv6 we assume it's an IPNetwork and
 // verify length in this function.
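Review bot: The rewritten RFC822Name, DNSName and UniformResourceIdentifier arms still build their Python objects through `_init_without_validation`, while the OtherName, DirectoryName and IPAddress arms in the same hunk go through the public constructor via `call1`, and nothing in the hunk says why the two groups differ. Since `gn` here is a `GeneralName` already decoded from the certificate rather than a caller-supplied Python value, the split looks deliberate, but that reasoning lives only in the Python helpers, which this diff does not show. A comment on the first such arm, `// value comes from decoded DER: skip the validation the public constructor applies`, would make the contract explicit; the exact wording should be checked against what `_init_without_validation` does on the Python side. parse_general_name's signature and the IPNetwork branch continue outside the hunk.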
@@ -285,9 +281,7 @@ pub(crate) fn parse_general_name(
 }
 GeneralName::RegisteredID(data) => {
 let oid = oid_to_py_oid(py, &data)?.to_object(py);
- x509_module
- .call_method1(pyo3::intern!(py, "RegisteredID"), (oid,))?
- .to_object(py)
+ types::REGISTERED_ID.get(py)?.call1((oid,))?.to_object(py)
 }
 _ => {
 return Err(CryptographyError::from(
From d47c7a8cd2d675ff9c7bf97e3b29f88950db4eab Mon Sep 17 00:00:00 2001
From: Alex Gaynor
Date: Tue, 5 Sep 2023 22:29:27 -0400
Subject: [PATCH 2/2] Convert src/rust/src/x509/certificate.rs
---
 src/rust/src/types.rs | 50 +++++++++--
 src/rust/src/x509/certificate.rs | 138 +++++++++++--------------------
 2 files changed, 88 insertions(+), 100 deletions(-)
diff --git a/src/rust/src/types.rs b/src/rust/src/types.rs
index d785e9fb34ac..8bfcf905d842 100644
--- a/src/rust/src/types.rs
+++ b/src/rust/src/types.rs
@@ -207,6 +207,48 @@ pub static RELATIVE_DISTINGUISHED_NAME: LazyPyImport = LazyPyImport::new("cryptography.x509", &["RelativeDistinguishedName"]); pub static NAME_ATTRIBUTE: LazyPyImport = LazyPyImport::new("cryptography.x509", &["NameAttribute"]); +pub static NAME_CONSTRAINTS: LazyPyImport = + LazyPyImport::new("cryptography.x509", &["NameConstraints"]); +pub static MS_CERTIFICATE_TEMPLATE: LazyPyImport = + LazyPyImport::new("cryptography.x509", &["MSCertificateTemplate"]); +pub static CRL_DISTRIBUTION_POINTS: LazyPyImport = + LazyPyImport::new("cryptography.x509", &["CRLDistributionPoints"]); +pub static BASIC_CONSTRAINTS: LazyPyImport = + LazyPyImport::new("cryptography.x509", &["BasicConstraints"]); +pub static INHIBIT_ANY_POLICY: LazyPyImport = + LazyPyImport::new("cryptography.x509", &["InhibitAnyPolicy"]); +pub static OCSP_NO_CHECK: LazyPyImport = LazyPyImport::new("cryptography.x509", &["OCSPNoCheck"]); +pub static POLICY_CONSTRAINTS: LazyPyImport = + LazyPyImport::new("cryptography.x509", &["PolicyConstraints"]); +pub static CERTIFICATE_POLICIES: LazyPyImport = + LazyPyImport::new("cryptography.x509", &["CertificatePolicies"]); +pub static SUBJECT_INFORMATION_ACCESS: LazyPyImport = + LazyPyImport::new("cryptography.x509", &["SubjectInformationAccess"]); +pub static KEY_USAGE: LazyPyImport = LazyPyImport::new("cryptography.x509", &["KeyUsage"]); +pub static EXTENDED_KEY_USAGE: LazyPyImport = + LazyPyImport::new("cryptography.x509", &["ExtendedKeyUsage"]); +pub static SUBJECT_KEY_IDENTIFIER: LazyPyImport = + LazyPyImport::new("cryptography.x509", &["SubjectKeyIdentifier"]); +pub static TLS_FEATURE: LazyPyImport = LazyPyImport::new("cryptography.x509", &["TLSFeature"]); +pub static SUBJECT_ALTERNATIVE_NAME: LazyPyImport = + LazyPyImport::new("cryptography.x509", &["SubjectAlternativeName"]); +pub static POLICY_INFORMATION: LazyPyImport = + LazyPyImport::new("cryptography.x509", &["PolicyInformation"]); +pub static USER_NOTICE: LazyPyImport = 
LazyPyImport::new("cryptography.x509", &["UserNotice"]); +pub static NOTICE_REFERENCE: LazyPyImport = + LazyPyImport::new("cryptography.x509", &["NoticeReference"]); +pub static REGISTERED_ID: LazyPyImport = LazyPyImport::new("cryptography.x509", &["RegisteredID"]); +pub static DIRECTORY_NAME: LazyPyImport = + LazyPyImport::new("cryptography.x509", &["DirectoryName"]); +pub static UNIFORM_RESOURCE_IDENTIFIER: LazyPyImport = + LazyPyImport::new("cryptography.x509", &["UniformResourceIdentifier"]); +pub static DNS_NAME: LazyPyImport = LazyPyImport::new("cryptography.x509", &["DNSName"]); +pub static RFC822_NAME: LazyPyImport = LazyPyImport::new("cryptography.x509", &["RFC822Name"]); +pub static OTHER_NAME: LazyPyImport = LazyPyImport::new("cryptography.x509", &["OtherName"]); +pub static CERTIFICATE_VERSION_V1: LazyPyImport = + LazyPyImport::new("cryptography.x509", &["Version", "v1"]); +pub static CERTIFICATE_VERSION_V3: LazyPyImport = + LazyPyImport::new("cryptography.x509", &["Version", "v3"]); pub static CRL_REASON_FLAGS: LazyPyImport = LazyPyImport::new("cryptography.x509.extensions", &["_CRLREASONFLAGS"]); 
@@ -216,14 +258,6 @@ pub static TLS_FEATURE_TYPE_TO_ENUM: LazyPyImport = LazyPyImport::new(
 "cryptography.x509.extensions",
 &["_TLS_FEATURE_TYPE_TO_ENUM"],
 );
-pub static REGISTERED_ID: LazyPyImport = LazyPyImport::new("cryptography.x509", &["RegisteredID"]);
-pub static DIRECTORY_NAME: LazyPyImport =
- LazyPyImport::new("cryptography.x509", &["DirectoryName"]);
-pub static UNIFORM_RESOURCE_IDENTIFIER: LazyPyImport =
- LazyPyImport::new("cryptography.x509", &["UniformResourceIdentifier"]);
-pub static DNS_NAME: LazyPyImport = LazyPyImport::new("cryptography.x509", &["DNSName"]);
-pub static RFC822_NAME: LazyPyImport = LazyPyImport::new("cryptography.x509", &["RFC822Name"]);
-pub static OTHER_NAME: LazyPyImport = LazyPyImport::new("cryptography.x509", &["OtherName"]);
 pub static OCSP_RESPONSE_STATUS: LazyPyImport =
 LazyPyImport::new("cryptography.x509.ocsp", &["OCSPResponseStatus"]);
diff --git a/src/rust/src/x509/certificate.rs b/src/rust/src/x509/certificate.rs
index d314386fc211..5ebd7a24e002 100644
--- a/src/rust/src/x509/certificate.rs
+++ b/src/rust/src/x509/certificate.rs
@@ -297,14 +297,9 @@ impl Certificate {
 }

 fn cert_version(py: pyo3::Python<'_>, version: u8) -> Result<&pyo3::PyAny, CryptographyError> {
- let x509_module = py.import(pyo3::intern!(py, "cryptography.x509"))?;
 match version {
- 0 => Ok(x509_module
- .getattr(pyo3::intern!(py, "Version"))?
- .get_item(pyo3::intern!(py, "v1"))?),
- 2 => Ok(x509_module
- .getattr(pyo3::intern!(py, "Version"))?
- .get_item(pyo3::intern!(py, "v3"))?),
+ 0 => Ok(types::CERTIFICATE_VERSION_V1.get(py)?),
+ 2 => Ok(types::CERTIFICATE_VERSION_V3.get(py)?),
 _ => Err(CryptographyError::from(
 exceptions::InvalidVersion::new_err((
 format!("{} is not a valid X509 version", version),
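Review bot: `cert_version` now reaches the version members through `types::CERTIFICATE_VERSION_V1` and `_V3`, which the types.rs hunk above declares as the attribute path `["Version", "v1"]` / `["Version", "v3"]`, whereas the removed lines used `get_item`, i.e. the `Version["v1"]` lookup. For a Python `enum.Enum` attribute access and name subscription yield the same member object, so this should be behaviour-preserving, but the equivalence is a property of the Python class rather than of this code. A one-line comment on the `0 =>` arm, `// Version.v1 / Version.v3 are enum members; attribute access equals the former Version["v1"] lookup`, would record why the swap is safe. The `_` arm still maps every other value to InvalidVersion, and its error construction continues past the hunk.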
@@ -450,7 +445,6 @@ fn parse_user_notice(
 py: pyo3::Python<'_>,
 un: UserNotice<'_>,
 ) -> Result {
- let x509_module = py.import(pyo3::intern!(py, "cryptography.x509"))?;
 let et = match un.explicit_text {
 Some(data) => parse_display_text(py, data)?,
 None => py.None(),
@@ -462,15 +456,14 @@ fn parse_user_notice(
 for num in data.notice_numbers.unwrap_read().clone() {
 numbers.append(big_byte_slice_to_py_int(py, num.as_bytes())?.to_object(py))?;
 }
- x509_module
- .call_method1(pyo3::intern!(py, "NoticeReference"), (org, numbers))?
+ types::NOTICE_REFERENCE
+ .get(py)?
+ .call1((org, numbers))?
 .to_object(py)
 }
 None => py.None(),
 };
- Ok(x509_module
- .call_method1(pyo3::intern!(py, "UserNotice"), (nr, et))?
- .to_object(py))
+ Ok(types::USER_NOTICE.get(py)?.call1((nr, et))?.to_object(py))
 }

 fn parse_policy_qualifiers<'a>(
@@ -512,7 +505,6 @@ fn parse_cp(
 ext: &Extension<'_>,
 ) -> Result {
 let cp = ext.value::>>()?;
- let x509_module = py.import(pyo3::intern!(py, "cryptography.x509"))?;
 let certificate_policies = pyo3::types::PyList::empty(py);
 for policyinfo in cp {
 let pi_oid = oid_to_py_oid(py, &policyinfo.policy_identifier)?.to_object(py);
@@ -522,8 +514,9 @@ fn parse_cp(
 }
 None => py.None(),
 };
- let pi = x509_module
- .call_method1(pyo3::intern!(py, "PolicyInformation"), (pi_oid, py_pqis))?
+ let pi = types::POLICY_INFORMATION
+ .get(py)?
+ .call1((pi_oid, py_pqis))?
 .to_object(py);
 certificate_policies.append(pi)?;
 }
@@ -669,24 +662,19 @@ pub fn parse_cert_ext<'p>(
 py: pyo3::Python<'p>,
 ext: &Extension<'_>,
 ) -> CryptographyResult> {
- let x509_module = py.import(pyo3::intern!(py, "cryptography.x509"))?;
 match ext.extn_id {
 oid::SUBJECT_ALTERNATIVE_NAME_OID => {
 let gn_seq = ext.value::>()?;
 let sans = x509::parse_general_names(py, &gn_seq)?;
 Ok(Some(
- x509_module
- .getattr(pyo3::intern!(py, "SubjectAlternativeName"))?
- .call1((sans,))?,
+ types::SUBJECT_ALTERNATIVE_NAME.get(py)?.call1((sans,))?,
 ))
 }
 oid::ISSUER_ALTERNATIVE_NAME_OID => {
 let gn_seq = ext.value::>()?;
 let ians = x509::parse_general_names(py, &gn_seq)?;
 Ok(Some(
- x509_module
- .getattr(pyo3::intern!(py, "IssuerAlternativeName"))?
- .call1((ians,))?,
+ types::ISSUER_ALTERNATIVE_NAME.get(py)?.call1((ians,))?,
 ))
 }
 oid::TLS_FEATURE_OID => {
@@ -697,17 +685,13 @@ pub fn parse_cert_ext<'p>(
 let py_feature = tls_feature_type_to_enum.get_item(feature.to_object(py))?;
 features.append(py_feature)?;
 }
- Ok(Some(
- x509_module
- .getattr(pyo3::intern!(py, "TLSFeature"))?
- .call1((features,))?,
- ))
+ Ok(Some(types::TLS_FEATURE.get(py)?.call1((features,))?))
 }
 oid::SUBJECT_KEY_IDENTIFIER_OID => {
 let identifier = ext.value::<&[u8]>()?;
 Ok(Some(
- x509_module
- .getattr(pyo3::intern!(py, "SubjectKeyIdentifier"))?
+ types::SUBJECT_KEY_IDENTIFIER
+ .get(py)?
 .call1((identifier,))?,
 ))
 }
@@ -717,101 +701,71 @@ pub fn parse_cert_ext<'p>(
 let oid_obj = oid_to_py_oid(py, &oid)?;
 ekus.append(oid_obj)?;
 }
- Ok(Some(
- x509_module
- .getattr(pyo3::intern!(py, "ExtendedKeyUsage"))?
- .call1((ekus,))?,
- ))
+ Ok(Some(types::EXTENDED_KEY_USAGE.get(py)?.call1((ekus,))?))
 }
 oid::KEY_USAGE_OID => {
 let kus = ext.value::>()?;
- Ok(Some(
- x509_module.getattr(pyo3::intern!(py, "KeyUsage"))?.call1((
- kus.digital_signature(),
- kus.content_comitment(),
- kus.key_encipherment(),
- kus.data_encipherment(),
- kus.key_agreement(),
- kus.key_cert_sign(),
- kus.crl_sign(),
- kus.encipher_only(),
- kus.decipher_only(),
- ))?,
- ))
+ Ok(Some(types::KEY_USAGE.get(py)?.call1((
+ kus.digital_signature(),
+ kus.content_comitment(),
+ kus.key_encipherment(),
+ kus.data_encipherment(),
+ kus.key_agreement(),
+ kus.key_cert_sign(),
+ kus.crl_sign(),
+ kus.encipher_only(),
+ kus.decipher_only(),
+ ))?))
 }
 oid::AUTHORITY_INFORMATION_ACCESS_OID => {
 let ads = parse_access_descriptions(py, ext)?;
 Ok(Some(
- x509_module
- .getattr(pyo3::intern!(py, "AuthorityInformationAccess"))?
- .call1((ads,))?,
+ types::AUTHORITY_INFORMATION_ACCESS.get(py)?.call1((ads,))?,
 ))
 }
 oid::SUBJECT_INFORMATION_ACCESS_OID => {
 let ads = parse_access_descriptions(py, ext)?;
 Ok(Some(
- x509_module
- .getattr(pyo3::intern!(py, "SubjectInformationAccess"))?
- .call1((ads,))?,
+ types::SUBJECT_INFORMATION_ACCESS.get(py)?.call1((ads,))?,
 ))
 }
 oid::CERTIFICATE_POLICIES_OID => {
 let cp = parse_cp(py, ext)?;
- Ok(Some(x509_module.call_method1(
- pyo3::intern!(py, "CertificatePolicies"),
- (cp,),
- )?))
+ Ok(Some(types::CERTIFICATE_POLICIES.get(py)?.call1((cp,))?))
 }
 oid::POLICY_CONSTRAINTS_OID => {
 let pc = ext.value::()?;
- Ok(Some(
- x509_module
- .getattr(pyo3::intern!(py, "PolicyConstraints"))?
- .call1((pc.require_explicit_policy, pc.inhibit_policy_mapping))?,
- ))
+ Ok(Some(types::POLICY_CONSTRAINTS.get(py)?.call1((
+ pc.require_explicit_policy,
+ pc.inhibit_policy_mapping,
+ ))?))
 }
 oid::OCSP_NO_CHECK_OID => {
 ext.value::<()>()?;
- Ok(Some(
- x509_module
- .getattr(pyo3::intern!(py, "OCSPNoCheck"))?
- .call0()?,
- ))
+ Ok(Some(types::OCSP_NO_CHECK.get(py)?.call0()?))
 }
 oid::INHIBIT_ANY_POLICY_OID => {
 let bignum = ext.value::>()?;
 let pynum = big_byte_slice_to_py_int(py, bignum.as_bytes())?;
- Ok(Some(
- x509_module
- .getattr(pyo3::intern!(py, "InhibitAnyPolicy"))?
- .call1((pynum,))?,
- ))
+ Ok(Some(types::INHIBIT_ANY_POLICY.get(py)?.call1((pynum,))?))
 }
 oid::BASIC_CONSTRAINTS_OID => {
 let bc = ext.value::()?;
 Ok(Some(
- x509_module
- .getattr(pyo3::intern!(py, "BasicConstraints"))?
+ types::BASIC_CONSTRAINTS
+ .get(py)?
 .call1((bc.ca, bc.path_length))?,
 ))
 }
 oid::AUTHORITY_KEY_IDENTIFIER_OID => Ok(Some(parse_authority_key_identifier(py, ext)?)),
 oid::CRL_DISTRIBUTION_POINTS_OID => {
 let dp = parse_distribution_points(py, ext)?;
- Ok(Some(
- x509_module
- .getattr(pyo3::intern!(py, "CRLDistributionPoints"))?
- .call1((dp,))?,
- ))
+ Ok(Some(types::CRL_DISTRIBUTION_POINTS.get(py)?.call1((dp,))?))
 }
 oid::FRESHEST_CRL_OID => {
 let dp = parse_distribution_points(py, ext)?;
- Ok(Some(
- x509_module
- .getattr(pyo3::intern!(py, "FreshestCRL"))?
- .call1((dp,))?,
- ))
+ Ok(Some(types::FRESHEST_CRL.get(py)?.call1((dp,))?))
 }
 oid::NAME_CONSTRAINTS_OID => {
 let nc = ext.value::>()?;
@@ -824,19 +778,19 @@ pub fn parse_cert_ext<'p>(
 None => py.None(),
 };
 Ok(Some(
- x509_module
- .getattr(pyo3::intern!(py, "NameConstraints"))?
+ types::NAME_CONSTRAINTS
+ .get(py)?
 .call1((permitted_subtrees, excluded_subtrees))?,
 ))
 }
 oid::MS_CERTIFICATE_TEMPLATE => {
 let ms_cert_tpl = ext.value::()?;
 let py_oid = oid_to_py_oid(py, &ms_cert_tpl.template_id)?;
- Ok(Some(
- x509_module
- .getattr(pyo3::intern!(py, "MSCertificateTemplate"))?
- .call1((py_oid, ms_cert_tpl.major_version, ms_cert_tpl.minor_version))?,
- ))
+ Ok(Some(types::MS_CERTIFICATE_TEMPLATE.get(py)?.call1((
+ py_oid,
+ ms_cert_tpl.major_version,
+ ms_cert_tpl.minor_version,
+ ))?))
 }
 _ => Ok(None),
 }